32 June 30, 2013 FCW.COM
assessment of each change that
they are contemplating.
• Look beyond changes that they are contemplating to devices and technologies that are coming into the marketplace to consider how to exploit their potential while mitigating the risk they might impose.
Responding to privacy concerns
With respect to information privacy, a "Code of Fair Information Practices" first articulated in 1973 underpins most privacy laws, including the Privacy Act of 1974. This code, while still valid, does not address the new complexities of working at the intersection of privacy and security as information moves more quickly and the technology and potential wrongdoers become more capable.
We need a new set of guidelines for leaders to follow that [responds] to privacy concerns.
Privacy Concern One: Appropriate handling of personal information. As noted above, privacy and security are not inherently in conflict. Indeed, the public has a right to expect that agencies will deploy robust security measures to protect against both intentional and inadvertent compromise of their personally identifiable data. For the purposes of determining what level of security is appropriate, it may be helpful to analogize to the public health model. Most of us can protect ourselves against common threats by practicing good hygiene and preventive medicine, but at-risk populations, from the very old and very young to those who may be immune-compromised, must employ more aggressive measures.
Recommendation: Agency risk analysis should inform the level of protection, detection and mitigation in terms of how deep to go in addressing a cybersecurity threat. Information and systems that confront high cyber risks or threats should receive more oversight to protect privacy. On the other hand, for many agencies that do not process highly sensitive personal information, following the minimum levels in relevant National Institute of Standards [and Technology] guidance may be sufficient.
Privacy Concern Two: Using electronic surveillance. As the nation's adversaries become more skilled in the use of advanced information technologies, protection of the nation's security increasingly entails electronic surveillance.
Recommendation: The government should undertake a proper review where cyber protection requires individual surveillance consistent with law. The following guidelines are offered for such a review:
• Agency head approval should be required in cases where cyber protection requires individual surveillance. In cases of multiple agency activity (e.g., the departments of Homeland Security and Justice) [or] activity involving the Executive Office of the President or when exigencies require action in the moment, prior review by an independent entity such as the president's [Privacy and] Civil Liberties Oversight Board should be required.
• Any review should be ex ante, except in emergency cases when notice should occur as soon as possible thereafter.
• The content of messages should be examined only in cases of high risk or threat. Much can be accomplished by constant monitoring of the pattern of traffic without looking at the content of messages.
The recommended actions outlined above are but steps in the continuing journey to protect our core values. Innovative uses of information and communications technology will continue to be developed. For example, how many of us anticipated the widespread use of portable devices, social networking or new surveillance technologies? Policy-makers and those who operate the engines of government need to continue to adapt both its policies and practices to protect privacy and security in a world that is not, in any sense, standing still. ■
Franklin S. Reeder writes, consults and teaches on information policy issues. He formerly served as director of the White House's Office of Administration and in several senior positions at the Office of Management and Budget.
Bookshelf
Much can be done within
existing legal authorities to
mitigate the risk we assume in
using information technology.